How to Fail A Penetration Test
Download
1 / 24

Scott Teeters, Jr. MicroSolved, Inc. in partnership with Sogeti USA - PowerPoint PPT Presentation


  • 94 Views
  • Uploaded on

How to Fail A Penetration Test Concepts in Securing a Network. Scott Teeters, Jr. MicroSolved, Inc. in partnership with Sogeti USA . Background . Sogeti USA Sogeti USA LLC, part of the Sogeti Group, provides information technology services to businesses and public sector organizations.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Scott Teeters, Jr. MicroSolved, Inc. in partnership with Sogeti USA ' - atira


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

How to Fail A Penetration Test

Concepts in Securing a Network

Scott Teeters, Jr.

MicroSolved, Inc.

in partnership with

Sogeti USA


Background
Background

  • Sogeti USA

    • Sogeti USA LLC, part of the Sogeti Group, provides information technology services to businesses and public sector organizations.

  • MicroSolved,Inc.

    • MicroSolved, Inc. provides information security services and consulting to Sogeti USA customers.

http://www.secureassure.com


Today s agenda
Today’s Agenda

  • Common issues that cause an organization to fail penetration tests

  • Some suggestions on how an organization may improve their security posture

http://www.secureassure.com


Note:

All ideas mentioned in this presentation also apply to any wireless or modem (dialup) systems as well.

http://www.secureassure.com


Policy issues
>Policy Issues

http://www.secureassure.com


Problems with policies and processes
Problems with Policies and Processes

  • Inconsistent application of policies throughout the organization

  • Poorly designed policies and standards

  • Example: Password are not required for all forms of network and application access

http://www.secureassure.com


Proper use of policies and processes
Proper Use Of Policies and Processes

  • Policies and Processes are developed in accordance with industry standard best practices, and/or an appropriate regulatory guideline

  • Policies are broad enough to establish the expected behavior in the user population

  • Policies are consistently applied across the organization

http://www.secureassure.com


Example
Example:

  • A proper password policy

    • Passwords are required for all forms of network and application access

    • Password strength is mandated to meet a specific level (IE: 7 Chars, Alpha-Num, w/special characters and mixed case)

    • Password rotation is large enough to prevent password reuse issues

    • Administrative/root access is strongly protected, requiring a token

http://www.secureassure.com


Another policy issue
Another Policy Issue:

  • Poor Domain Trust Choices

    Who trusts who?

    • Weak trust structure

      • Types of trust

      • Some domains have less security than others

http://www.secureassure.com


Example1
Example:

  • Good Domain Trust Choices

    Who trusts who?

    • Unidirectional trust

      • Allows work to be done

      • Protects Production domain

http://www.secureassure.com


Process issues
Process Issues:

  • Information Leakage Problems

    Who’s saying what?

    • Example of Usenet leakage

      "Gary Smith" <Gary [email protected]> wrote in message news:[email protected]..

      I have a data communication application that uses TAPI 2.x for doing async modem protocols. This application has been in use for three years. I have discovered a problem, and can recreate it where data is lost somewhere between the modem and my application but it only happens on Windows 2000 machines. If I run it on a Windows NT 4.0 machine, it works fine...

http://www.secureassure.com


Process solution
Process Solution:

  • Combating Information Leakage

    Who’s saying what?

    • Have technical staff members use email and Usenet posting addresses not associated with the organization

    • Make sure users know not to post corporate identifiers online

    • Monitor the Internet for information leakage problems and address them ASAP

http://www.secureassure.com


Problems with patching
>Problems with Patching

http://www.secureassure.com


Poor patch management
Poor Patch Management

  • Systems are not current on patches/hotfixes

  • Patches are not consistently applied throughout the organization

  • Patches are more than security, they also may provide:

    • Stability

    • New Features

    • New Ways to Prevent Illicit Access

  • Patch problems can hurt you!

http://www.secureassure.com


Patching details matter
Patching Details Matter

  • Sometimes, patches have to be applied in a specific order or manner

    • Failing to do so, may actually INCREASE your vulnerability!

http://www.secureassure.com


Proper patch management
Proper Patch Management

  • Patch levels are monitored on a regular basis using manual processes or automated vulnerability assessments

  • Patches are tested in a isolated environment before being applied to production systems and devices

  • Patches apply to operating systems, applications and even hardware devices

  • Policies and standards clearly define the mechanisms and frameworks for acquiring, testing and deploying patches, fixes and version upgrades

http://www.secureassure.com


Configuration downfalls
>Configuration Downfalls

http://www.secureassure.com


Configuration issues
Configuration Issues

  • Poorly configured perimeter implementations

    • Example: Firewall rules are not granular or allow too much access

  • Internal network does not meet industry standard best practices

    • Example: Unnecessary services offer footholds for attackers

  • Systems are not adequately hardened

    • Example: Access controls allow easy access to confidential data

http://www.secureassure.com


Proper perimeters
Proper Perimeters

  • Access controls systems (ie: firewalls, router, etc.) start with a deny all attitude

  • Services are added with specific granularity as required for business

  • Internet visible systems are physically and logically segregated from production networks

  • Intrusion detection tools allow for easy anomaly and danger identification

  • Systems are carefully monitored via log files or agents using a manual or automated process

  • Alternate forms of access (ie: remote management, VPN, RAS, etc.) terminate in a DMZ or segregated segment

http://www.secureassure.com


Proper network configuration
Proper Network Configuration

  • Domain trusts are properly applied and implemented

  • Unneeded services are not running on network connected systems and devices

  • Proper egress controls assist in preventing malware spreading and attacks against other networks

  • IDS is deployed to assist with problem detection and troubleshooting

  • The network is monitored for changes in performance and traffic levels which could indicate a security or other type of issue

http://www.secureassure.com


Proper system configuration
Proper System Configuration

  • Systems are hardened in accordance with a baseline

    • Examples: SANS configurations, CIS baselines

  • Systems are up to date on patches and fixes

  • Unneeded services have been disabled

  • All systems use anti-virus software with regular automatic updates

  • Personal firewalls are deployed where appropriate, at a minimum on all laptops and notebooks

  • Access controls have been appropriately applied to each device and its file system

  • Users are aware of existing policies and guidelines

http://www.secureassure.com


Keeping it all together
Keeping it All Together

  • You have a complex environment

  • Not all users will behave as expected

  • Patches and fixes come fast and furious

  • How do you keep all these variables under control?

    REGULAR ASSESSMENT & MONITORING

http://www.secureassure.com


How to fail a penetration test

Implement poor policies and processes

No policies and processes also count!

Mismanage patches and fixes

Misconfigure your perimeter, network and/or systems

Take a number, attackers will be right with you…

How To Fail A Penetration Test

http://www.secureassure.com


Thank You

Sogeti USA

http://www.sogeti-usa.com

Chris Rice

[email protected]

Or

Scott Teeters

[email protected]

more information


ad